Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread nicolas vigier
On Tue, 28 Jun 2011, Michael Scherer wrote:

> On Tuesday 28 June 2011 at 16:23 +0200, Christiaan Welvaart wrote:
> > On Tue, 28 Jun 2011, nicolas vigier wrote:
> > 
> > > In order to send updates advisories, and have a web page listing all
> > > previous advisories, we need to create a database to store them.
> > >
> > > So I think it should have the following info for each advisory :
> > >
> > > - advisory ID: something like MGA-[NUMBER] ?
> > > - advisory date
> > > - affected source packages
> > > - affected distribution versions
> > > - CVE numbers
> > > - list of binary packages with sha1sum
> Are there people who really check them ?
> ( since there is already gpg and checksum in rpm that can be checked
> automatically, I do not see the point in having this when it requires
> another manual check )

Most other distributions include this in their advisories. But yes, it's
not very useful, so we can probably remove the sha1.

> 
> > > - Mageia Bug #
> > > - Reference URLs
> > > - advisory text
> > >
> > > Anything else ?
> > 
> > - severity
> Adding severity would require us to have precise rules about it, and
> would not mean much, and would likely cause lots of bike shedding about it.
> 
> And also, what is the use precisely ?
> 
> > - whether this is a security issue or a non-security bugfix
> What if there is more than 1 fix ( like a firefox upgrade ) ?

If at least one of them is security, then it's a security update.



Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread Michael Scherer
On Tuesday 28 June 2011 at 16:23 +0200, Christiaan Welvaart wrote:
> On Tue, 28 Jun 2011, nicolas vigier wrote:
> 
> > In order to send updates advisories, and have a web page listing all
> > previous advisories, we need to create a database to store them.
> >
> > So I think it should have the following info for each advisory :
> >
> > - advisory ID: something like MGA-[NUMBER] ?
> > - advisory date
> > - affected source packages
> > - affected distribution versions
> > - CVE numbers
> > - list of binary packages with sha1sum
Are there people who really check them ?
( since there is already gpg and checksum in rpm that can be checked
automatically, I do not see the point in having this when it requires
another manual check )

> > - Mageia Bug #
> > - Reference URLs
> > - advisory text
> >
> > Anything else ?
> 
> - severity
Adding severity would require us to have precise rules about it, and
would not mean much, and would likely cause lots of bike shedding about it.

And also, what is the use precisely ?

> - whether this is a security issue or a non-security bugfix
What if there is more than 1 fix ( like a firefox upgrade ) ?
And what's the use ?

I would recommend looking at CVRF and OSVDB, but that's only for
security issues.
-- 
Michael Scherer



Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread nicolas vigier
On Tue, 28 Jun 2011, Christiaan Welvaart wrote:

> On Tue, 28 Jun 2011, nicolas vigier wrote:
>
>> In order to send updates advisories, and have a web page listing all
>> previous advisories, we need to create a database to store them.
>>
>> So I think it should have the following info for each advisory :
>>
>> - advisory ID: something like MGA-[NUMBER] ?
>> - advisory date
>> - affected source packages
>> - affected distribution versions
>> - CVE numbers
>> - list of binary packages with sha1sum
>> - Mageia Bug #
>> - Reference URLs
>> - advisory text
>>
>> Anything else ?
>
> - severity
> - whether this is a security issue or a non-security bugfix
> (could be 1 field)

What kind of severity classification should we use ?

Something like redhat, with Critical, Important, Moderate, Low ?

Or something more simple with only Critical and Normal ?

Or no classification ?

http://www.redhat.com/f/pdf/rhel4/SecurityClassification.pdf



Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread Samuel Verschelde

On Tuesday 28 June 2011 16:02:13, nicolas vigier wrote:
> On Tue, 28 Jun 2011, Samuel Verschelde wrote:
> > On Tuesday 28 June 2011 15:20:33, nicolas vigier wrote:
> > > Hello,
> > > 
> > > In order to send updates advisories, and have a web page listing all
> > > previous advisories, we need to create a database to store them.
> > > 
> > > So I think it should have the following info for each advisory :
> > >  - advisory ID: something like MGA-[NUMBER] ?
> > >  - advisory date
> > >  - affected source packages
> > >  - affected distribution versions
> > >  - CVE numbers
> > >  - list of binary packages with sha1sum
> > >  - Mageia Bug #
> > >  - Reference URLs
> > >  - advisory text
> 
>  - bugfix type: normal / security
> 
> > > Anything else ?
> > 
> > Is it for security bugs only or any update ? And will it be the central
> > place where update messages are stored ?
> 
> For both security and non-security updates, I forgot to add this info in
> the list.
> 
> This database will be used for :
>  - sending an email to updates-announce mailing list
>  - generate the descriptions file used by rpmdrake to show info about
>    new updates
>  - a web page to list all updates
> 
> > If possible, I'd like to be able to query such a database containing an
> > update message for each update, and more information if needed, to be able
> > to display them for package updates in Mageia App Db.
> 
> I think we can provide this as json.

That would be great.

Samuel



Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread nicolas vigier
On Tue, 28 Jun 2011, Romain d'Alverny wrote:

> Hi,
> 
> On Tue, Jun 28, 2011 at 15:34, Samuel Verschelde wrote:
> > On Tuesday 28 June 2011 15:20:33, nicolas vigier wrote:
> >> In order to send updates advisories, and have a web page listing all
> >> previous advisories, we need to create a database to store them.
> >>
> >> So I think it should have the following info for each advisory :
> >>
> >>  - advisory ID: something like MGA-[NUMBER] ?
> >>  - advisory date
> >>  - affected source packages
> >>  - affected distribution versions
> >>  - CVE numbers
> >>  - list of binary packages with sha1sum
> >>  - Mageia Bug #
> >>  - Reference URLs
> >>  - advisory text
> >>
> >> Anything else ?
> 
> If using SQL, make sure to normalize the db schema a bit (that is, for
> instance, an advisory table, with a distributions table, and a
> relationship). MDV security advisory web app had a single table, with
> new columns added each time a new release was published and that was
> really not good, nor safe to maintain.
> 
> In this perspective, there could be the following tables:
>  - advisories (id, date, text, list of URLs, list of bug #)
>  - distributions (id, name)
>  - source packages (id, name, version)
>  - CVE numbers

I am thinking about the following tables :

 - advisories : id, published, publish-date, update-date, text, severity
 - source-packages : packagename, filename, sha1, distribution, repository,
   version, advisory-id
 - binary-packages : packagename, filename, sha1, source-package-id
 - cve-numbers : cve-number, advisory-id
 - bugzilla-numbers : bugzilla-number, advisory-id
 - reference-urls : url, advisory-id

> 
> Not sure about the rest; depends on the data details and what type of
> queries would be expected:
>  - do we only query by the advisory id or do we plan to have stats
> per distribution, source package?

We can query by advisory id, source package, cve number, bugzilla
number. And we can do stats.

>  - what screens do you expect?
>  - are there several CVE numbers for a single advisory?

Yes. We can have several CVE numbers, source packages, bugzilla numbers,
URLs, distributions, for one advisory.

>  - is there a link from source packages and binary packages?

Yes.
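
The tables listed in this message, carried into a working schema as an added example (this is not Mageia's code and not from the thread): a normalized SQLite version of advisories / source-packages / binary-packages / cve-numbers / bugzilla-numbers / reference-urls, with the lookups mentioned here (by CVE number and by source package) and the JSON export discussed with Samuel earlier in the thread. The exact column names, the MGA-<n> display form of the id, the Red Hat-style severity labels, the CVE id syntax check, and every sample package name, CVE id, bug number and URL are assumptions or constructed placeholders; the sha1 columns are left out, following the conclusion above that rpm's own signature check covers that.

```python
"""Normalized SQLite schema for the advisory database sketched in this thread, with lookups by CVE
and source package and a JSON export.  Added example, not Mageia's code: column names, the MGA-<n>
display id and the severity labels are assumptions taken from the discussion."""
import json
import re
import sqlite3

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

SCHEMA = """
CREATE TABLE advisories (
    id INTEGER PRIMARY KEY,                -- displayed as MGA-<id>
    published INTEGER NOT NULL DEFAULT 0,  -- 0 = draft, 1 = announced
    publish_date TEXT, update_date TEXT NOT NULL, text TEXT NOT NULL,
    -- Red Hat-style labels (assumed); NULL marks a plain bugfix update
    severity TEXT CHECK (severity IS NULL OR severity IN ('critical', 'important', 'moderate', 'low')));
CREATE TABLE source_packages (
    id INTEGER PRIMARY KEY, advisory_id INTEGER NOT NULL REFERENCES advisories(id), packagename TEXT NOT NULL,
    version TEXT NOT NULL, distribution TEXT NOT NULL, repository TEXT NOT NULL, filename TEXT NOT NULL);
CREATE TABLE binary_packages (id INTEGER PRIMARY KEY, packagename TEXT NOT NULL, filename TEXT NOT NULL,
    source_package_id INTEGER NOT NULL REFERENCES source_packages(id));
CREATE TABLE cve_numbers (cve_number TEXT NOT NULL, advisory_id INTEGER NOT NULL REFERENCES advisories(id),
    PRIMARY KEY (cve_number, advisory_id));
CREATE TABLE bugzilla_numbers (bugzilla_number INTEGER NOT NULL,
    advisory_id INTEGER NOT NULL REFERENCES advisories(id), PRIMARY KEY (bugzilla_number, advisory_id));
CREATE TABLE reference_urls (url TEXT NOT NULL, advisory_id INTEGER NOT NULL REFERENCES advisories(id),
    PRIMARY KEY (url, advisory_id));
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce REFERENCES without this
    conn.executescript(SCHEMA)
    return conn

def validate_cves(cves):
    """Return the ids that are not of the form CVE-YYYY-NNNN (four or more digits)."""
    return [c for c in cves if not CVE_RE.match(c)]

def add_advisory(conn, today, text, severity, sources, cves, bugs, urls):
    """Insert a draft advisory and its child rows in one transaction and return its numeric id.
    A malformed CVE id is rejected up front; a bad severity fails the CHECK constraint (IntegrityError)."""
    bad = validate_cves(cves)
    if bad:
        raise ValueError("malformed CVE id(s): " + ", ".join(bad))
    with conn:  # commit all rows or none of them
        adv_id = conn.execute("INSERT INTO advisories (update_date, severity, text) VALUES (?, ?, ?)",
                              (today, severity, text)).lastrowid
        for s in sources:
            src_id = conn.execute(
                "INSERT INTO source_packages (advisory_id, packagename, version, distribution, repository,"
                " filename) VALUES (?, ?, ?, ?, ?, ?)",
                (adv_id, s["name"], s["version"], s["distribution"], s["repository"], s["filename"])).lastrowid
            conn.executemany("INSERT INTO binary_packages (packagename, filename, source_package_id)"
                             " VALUES (?, ?, ?)", [(n, f, src_id) for n, f in s["binaries"]])
        conn.executemany("INSERT INTO cve_numbers VALUES (?, ?)", [(c, adv_id) for c in cves])
        conn.executemany("INSERT INTO bugzilla_numbers VALUES (?, ?)", [(b, adv_id) for b in bugs])
        conn.executemany("INSERT INTO reference_urls VALUES (?, ?)", [(u, adv_id) for u in urls])
    return adv_id

def _column(conn, sql, arg):
    return [r[0] for r in conn.execute(sql, (arg,))]

def advisories_for_cve(conn, cve):
    return _column(conn, "SELECT advisory_id FROM cve_numbers WHERE cve_number = ? ORDER BY 1", cve)

def advisories_for_source(conn, packagename):
    return _column(conn, "SELECT DISTINCT advisory_id FROM source_packages WHERE packagename = ? ORDER BY 1",
                   packagename)

def advisory_as_dict(conn, adv_id):
    """Re-assemble one advisory from the normalized tables (the web page's and rpmdrake's view of it)."""
    row = conn.execute("SELECT published, publish_date, update_date, severity, text FROM advisories WHERE id = ?",
                       (adv_id,)).fetchone()
    sources = [{"name": name, "version": ver, "distribution": dist, "repository": repo, "srpm": srpm,
                "rpms": _column(conn, "SELECT filename FROM binary_packages WHERE source_package_id = ? ORDER BY 1", sid)}
               for sid, name, ver, dist, repo, srpm in conn.execute(
                   "SELECT id, packagename, version, distribution, repository, filename FROM source_packages"
                   " WHERE advisory_id = ? ORDER BY id", (adv_id,)).fetchall()]
    return {"id": "MGA-%d" % adv_id, "published": bool(row[0]), "publish_date": row[1], "update_date": row[2],
            "severity": row[3], "text": row[4], "source_packages": sources,
            "cves": _column(conn, "SELECT cve_number FROM cve_numbers WHERE advisory_id = ? ORDER BY 1", adv_id),
            "bugs": _column(conn, "SELECT bugzilla_number FROM bugzilla_numbers WHERE advisory_id = ? ORDER BY 1", adv_id),
            "urls": _column(conn, "SELECT url FROM reference_urls WHERE advisory_id = ? ORDER BY 1", adv_id)}

def advisory_as_json(conn, adv_id):
    """The JSON form suggested in the thread for the Mageia App Db."""
    return json.dumps(advisory_as_dict(conn, adv_id), indent=2, sort_keys=True)

# Constructed sample: placeholder package, CVE ids, bug number and URL, not a real advisory.
SAMPLE = dict(
    text="Updated foo packages fix two input-validation bugs (constructed example text).", severity="important",
    cves=["CVE-2011-99999", "CVE-2011-99998"], bugs=[12345], urls=["https://example.org/foo/security.html"],
    sources=[{"name": "foo", "version": "1.2.3-1.1.mga1", "distribution": "1", "repository": "core/updates",
              "filename": "foo-1.2.3-1.1.mga1.src.rpm",
              "binaries": [("foo", "foo-1.2.3-1.1.mga1.i586.rpm"), ("libfoo1", "libfoo1-1.2.3-1.1.mga1.i586.rpm")]}])

def demo():
    """Load the sample into a fresh in-memory database; return (connection, advisory id)."""
    conn = open_db()
    return conn, add_advisory(conn, "2011-06-28", **SAMPLE)
```

Running `demo()` and then `print(advisory_as_json(conn, adv_id))` shows the whole advisory as one JSON document, while `advisories_for_cve` and `advisories_for_source` answer the "which advisory fixed X" questions directly from the link tables rather than by parsing advisory text. Two practitioner details: SQLite only enforces the REFERENCES clauses when `PRAGMA foreign_keys` is switched on per connection, and the whole advisory is written inside one transaction so a failed child insert (say, a severity outside the CHECK list) leaves no half-written advisory behind.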



Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread Christiaan Welvaart

On Tue, 28 Jun 2011, nicolas vigier wrote:

> In order to send updates advisories, and have a web page listing all
> previous advisories, we need to create a database to store them.
>
> So I think it should have the following info for each advisory :
>
> - advisory ID: something like MGA-[NUMBER] ?
> - advisory date
> - affected source packages
> - affected distribution versions
> - CVE numbers
> - list of binary packages with sha1sum
> - Mageia Bug #
> - Reference URLs
> - advisory text
>
> Anything else ?

- severity
- whether this is a security issue or a non-security bugfix
(could be 1 field)


Christiaan


Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread Stew Benedict

On 06/28/2011 09:50 AM, Romain d'Alverny wrote:

> If using SQL, make sure to normalize the db schema a bit (that is, for
>  - are there several CVE numbers for a single advisory?

Yes, there could be


--
Stew Benedict




Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread nicolas vigier
On Tue, 28 Jun 2011, Samuel Verschelde wrote:

> 
> On Tuesday 28 June 2011 15:20:33, nicolas vigier wrote:
> > Hello,
> > 
> > In order to send updates advisories, and have a web page listing all
> > previous advisories, we need to create a database to store them.
> > 
> > So I think it should have the following info for each advisory :
> > 
> >  - advisory ID: something like MGA-[NUMBER] ?
> >  - advisory date
> >  - affected source packages
> >  - affected distribution versions
> >  - CVE numbers
> >  - list of binary packages with sha1sum
> >  - Mageia Bug #
> >  - Reference URLs
> >  - advisory text
 - bugfix type: normal / security
> > 
> > Anything else ?
> 
> Is it for security bugs only or any update ? And will it be the central place 
> where update messages are stored ?

For both security and non-security updates, I forgot to add this info in
the list.

This database will be used for :
 - sending an email to updates-announce mailing list
 - generate the descriptions file used by rpmdrake to show info about
   new updates
 - a web page to list all updates

> If possible, I'd like to be able to query such a database containing an 
> update 
> message for each update, and more information if needed, to be able to display 
> them for package updates in Mageia App Db.

I think we can provide this as json.



Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread Romain d'Alverny
Hi,

On Tue, Jun 28, 2011 at 15:34, Samuel Verschelde wrote:
> On Tuesday 28 June 2011 15:20:33, nicolas vigier wrote:
>> In order to send updates advisories, and have a web page listing all
>> previous advisories, we need to create a database to store them.
>>
>> So I think it should have the following info for each advisory :
>>
>>  - advisory ID: something like MGA-[NUMBER] ?
>>  - advisory date
>>  - affected source packages
>>  - affected distribution versions
>>  - CVE numbers
>>  - list of binary packages with sha1sum
>>  - Mageia Bug #
>>  - Reference URLs
>>  - advisory text
>>
>> Anything else ?

If using SQL, make sure to normalize the db schema a bit (that is, for
instance, an advisory table, with a distributions table, and a
relationship). MDV security advisory web app had a single table, with
new columns added each time a new release was published and that was
really not good, nor safe to maintain.

In this perspective, there could be the following tables:
 - advisories (id, date, text, list of URLs, list of bug #)
 - distributions (id, name)
 - source packages (id, name, version)
 - CVE numbers

Not sure about the rest; depends on the data details and what type of
queries would be expected:
 - do we only query by the advisory id or do we plan to have stats
per distribution, source package?
 - what screens do you expect?
 - are there several CVE numbers for a single advisory?
 - is there a link from source packages and binary packages?

Romain


Re: [Mageia-dev] Mageia Advisories Database

2011-06-28 Thread Samuel Verschelde

On Tuesday 28 June 2011 15:20:33, nicolas vigier wrote:
> Hello,
> 
> In order to send updates advisories, and have a web page listing all
> previous advisories, we need to create a database to store them.
> 
> So I think it should have the following info for each advisory :
> 
>  - advisory ID: something like MGA-[NUMBER] ?
>  - advisory date
>  - affected source packages
>  - affected distribution versions
>  - CVE numbers
>  - list of binary packages with sha1sum
>  - Mageia Bug #
>  - Reference URLs
>  - advisory text
> 
> Anything else ?

Is it for security bugs only or any update ? And will it be the central place 
where update messages are stored ?

If possible, I'd like to be able to query such a database containing an update 
message for each update, and more information if needed, to be able to display 
them for package updates in Mageia App Db.

Best regards

Samuel